Evidence of Program Execution

Question 1

Define UserAssist

Answer 1

UserAssist is where GUI-based programs launched from the Desktop are tracked in the launcher on a Windows system

Question 2

Provide the UserAssist Location

Answer 2

NTUSER.DAT HIVE (NTUSER.DAT\Software\Microsoft\Windiows\CurrentVersion\Explorer\UserAssist\GUID\Count

Question 3

Describe BAM/DAM

Answer 3

Windows Background Activity Monitor - Provides full path of the executable file that was run on the system and the last execution date/time.

Question 4

Provide the BAM/DAM location

Answer 4

WIN10 SYSTEM\CurrentControlSet\Services\bam(dam)\UserSettings\SID

Question 5

Describe RecentApps

Answer 5

Program execution launched on Win10 system is tracked in the RecentApps key.

Question 6

Provide the RecentApps location

Answer 6

WIN10 NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps

Question 7

Describe ShimCache

Answer 7

Tracks executable’s file name, file size, last modified time. Any executable run on the Windows system can be found in this key. You can use this key to identify systems a specific malware was executed on.

Question 8

Provide the ShimCache location

Answer 8

WIN7/8/10 SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Question 9

Describe Jump Lists

Answer 9

Windows 7 to 10 task bar (Jump List) is engineered to allow users to jump or access items they have frequently or recently used.

Question 10

Provide the Jump Lists location

Answer 10

WIN7/8/10 C:\USERPROFILE\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Question 11

Describe Prefetch

Answer 11

Increases performance of a system by pre-loading code pages of commonly used applications.

Question 12

Provide the Prefetch Location

Answer 12

C:\Windows\Prefetch

Question 13

Describe AmCache.hve

Answer 13

Entry for every executable run, full path information.

Question 14

Provide the AmCache.hve location

Answer 14

C:\Windows\AppCompat\Programs\Amcache.hve